Facebook Launches Java APIs for Encrypted SD Storage

Facebook has announced a new set of Java APIs for encrypting data stored on SD cards. Dubbed "Conceal," the APIs are designed to encrypt large files on disk, initially for Android smartphones.

"What many people don't realize is that Android's privacy model treats the SD card storage as a publicly accessible directory," wrote Facebook software engineer Subodh Iyengar on his company's engineering blog. "This allows data to be read by any app (with the right permissions). Thus, external storage is normally not a good place to store private information."

Conceal is not a general-purpose crypto library, Facebook emphasized in its announcement, but "prefers to abstract this choice and use sane defaults." It uses cryptographic algorithms from OpenSSL, an open source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. OpenSSL is a large library (about 1MB when built for armv7, Iyengar noted) that would increase the size of an application, but Facebook intends Conceal to be smaller than existing Java crypto libraries. Consequently, the company is shipping Conceal with "a select number" of algorithms from that library, keeping the size bump to 85KB.

"We believe providing a smaller library will reduce the friction of adopting state-of-the-art encryption algorithms, make it easier to handle different Android platform versions, and enable us to quickly incorporate fixes for any security vulnerabilities in OpenSSL as well," he wrote.

Conceal is being released as open source, available on GitHub. Facebook is including a set of pre-built binaries for the OpenSSL crypto functions, so that developers can build their own small OpenSSL binaries with the functions required by Conceal, Iyengar wrote.

"We created Conceal to be small and faster than existing Java crypto libraries on Android while using memory responsibly," Iyengar added.